<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>CCPA Archives - Zasio</title>
	<atom:link href="https://zasio.com/tag/ccpa/feed/" rel="self" type="application/rss+xml" />
	<link>https://zasio.com/tag/ccpa/</link>
	<description>Digital Records Management Software</description>
	<lastBuildDate>Wed, 18 Oct 2023 20:54:02 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	<generator>https://wordpress.org/?v=7.0</generator>

<image>
	<url>https://zasio.com/wp-content/uploads/2023/05/cropped-zasiopurplefavicon-32x32.png</url>
	<title>CCPA Archives - Zasio</title>
	<link>https://zasio.com/tag/ccpa/</link>
	<width>32</width>
	<height>32</height>
</image> 
	<item>
		<title>Let’s Hit the Slopes: What to Know About Colorado’s Personal Privacy Act</title>
		<link>https://zasio.com/lets-hit-the-slopes-what-to-know-about-colorados-personal-privacy-act/</link>
					<comments>https://zasio.com/lets-hit-the-slopes-what-to-know-about-colorados-personal-privacy-act/#respond</comments>
		
		<dc:creator><![CDATA[Zasio]]></dc:creator>
		<pubDate>Mon, 03 Jan 2022 20:01:08 +0000</pubDate>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[California Privacy Rights Act]]></category>
		<category><![CDATA[CCPA]]></category>
		<category><![CDATA[Colorado Personal Privacy Act]]></category>
		<category><![CDATA[Colorado Privacy Act]]></category>
		<category><![CDATA[CPA]]></category>
		<category><![CDATA[data management]]></category>
		<category><![CDATA[Information Governance software]]></category>
		<category><![CDATA[personal data protection]]></category>
		<category><![CDATA[privacy rights laws]]></category>
		<category><![CDATA[records management software]]></category>
		<category><![CDATA[Samantha Rodriguez]]></category>
		<guid isPermaLink="false">https://wordpress-140425-3498808.cloudwaysapps.com/?p=475</guid>

					<description><![CDATA[<p>Have you heard the news yet? The Colorado Privacy Act has raised the brrr for the Centennial State. This past summer, Colorado’s governor signed the CPA into law, making it the third comprehensive privacy rights law among the states. On July 1, 2023, the CPA will take effect, six months after the California Privacy Rights Act (an update to the CCPA) and Virginia’s Data Protection Act (CDPA). The CPA’s passage raises a number of important questions for organizations conducting business in Colorado, such as: what does the CPA entail; who must comply; how will the law be enforced; and what do companies need to know to comply with the CPA? A Sneak “Peak” into the CPA The law applies to entities that conduct business or produce commercial products or services intentionally targeted to Colorado residents, and that control or process personal data or derive revenue from the sale of personal data. The CPA applies to both for-profit and nonprofit entities. However, state and local governments and institutions of higher education are excluded.[1] Controllers are defined as any person that, alone or jointly with others, determines the purposes and means of processing personal data. The CPA specifies how controllers must fulfill their duties regarding consumers’ [&#8230;]</p>
<p>The post <a href="https://zasio.com/lets-hit-the-slopes-what-to-know-about-colorados-personal-privacy-act/" data-wpel-link="internal">Let’s Hit the Slopes: What to Know About Colorado’s Personal Privacy Act</a> appeared first on <a href="https://zasio.com" data-wpel-link="internal">Zasio</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>Have you heard the news yet? The Colorado Privacy Act has raised the <em>brrr </em>for the Centennial State. This past summer, Colorado’s governor signed the CPA into law, making it the third comprehensive privacy rights law among the states. On July 1, 2023, the CPA will take effect, six months after the California Privacy Rights Act (an update to the CCPA) and Virginia’s Data Protection Act (CDPA). The CPA’s passage raises a number of important questions for organizations conducting business in Colorado, such as: what does the CPA entail; who must comply; how will the law be enforced; and what do companies need to know to comply with the CPA?</p>
<p><strong>A Sneak <em>“Peak” </em>into the CPA</strong></p>
<p>The law applies to entities that conduct business or produce commercial products or services intentionally targeted to Colorado residents, and that control or process personal data or derive revenue from the sale of personal data. The CPA applies to both for-profit and nonprofit entities. However, state and local governments and institutions of higher education are excluded.<a href="https://www.zasio.com/lets-hit-the-slopes-what-to-know-about-colorados-personal-privacy-act/#_edn1" name="_ednref1" data-wpel-link="internal">[1]</a></p>
<p>Controllers are defined as any person that, alone or jointly with others, determines the purposes and means of processing personal data. The CPA specifies how controllers must fulfill their duties regarding consumers’ rights, transparency, purpose specification, data minimization, avoiding secondary use and unlawful discrimination, care, and sensitive data.</p>
<p>The CPA also requires controllers to conduct a data protection assessment for each processing activity involving personal data that presents a high risk of harm to consumers. Examples of a foreseeable high risk include:</p>
<ul>
<li>unfair or deceptive treatment or unlawful impact on consumers;</li>
<li>financial or physical injury;</li>
<li>selling of personal data; and</li>
<li>processing sensitive data.<a href="https://www.zasio.com/lets-hit-the-slopes-what-to-know-about-colorados-personal-privacy-act/#_edn2" name="_ednref2" data-wpel-link="internal">[2]</a></li>
</ul>
<p>Also, the CPA seeks to empower “consumers to protect their privacy and to require companies to be responsible custodians of their data.”<a href="https://www.zasio.com/lets-hit-the-slopes-what-to-know-about-colorados-personal-privacy-act/#_edn3" name="_ednref3" data-wpel-link="internal">[3]</a> Sensitive personal data is considered detailed personal information about an individual, and includes race, origin, sex, religion, mental or physical health conditions or diagnoses, and sexual orientation. Under the CPA, controllers must obtain consumers’ consent before processing sensitive data.</p>
<p><strong>Who has Enforcement Authority?</strong></p>
<p>There is no private right of action under the CPA. The state’s attorney general’s office and state district attorneys are the CPA’s exclusive enforcement officers. Both the AG and DAs may bring enforcement actions directly or on behalf of a Colorado resident. Enforcement officers are also required to notify the business of any alleged violation before bringing a legal action. Upon notification, a business has 60 days to cure the alleged violation. Civil penalties start at $2,000 per violation but may not exceed $500,000 for any related series of violations. <a href="https://www.zasio.com/lets-hit-the-slopes-what-to-know-about-colorados-personal-privacy-act/#_edn4" name="_ednref4" data-wpel-link="internal">[4]</a></p>
<p><strong>It’s All <em>Downhill</em> from Here</strong></p>
<p>Although the CPA does not take effect until July 1, 2023, businesses should not delay determining their compliance obligations. By starting now, your organization can avoid being time pressed to complete any required comprehensive data inventories, update policies, and review contracts. This can help ensure a smooth and efficient transition for businesses subject to the CPA’s new requirements. <a href="https://www.zasio.com/lets-hit-the-slopes-what-to-know-about-colorados-personal-privacy-act/#_edn5" name="_ednref5" data-wpel-link="internal">[5]</a></p>
<p>Companies who have already invested in complying with state privacy laws may not have to adjust their practices much to comply with the CPA. Nonetheless, the CPA contains some key distinctions from other privacy laws that should not be overlooked by even the most seasoned privacy law experts.</p>
<p>If your organization is ready to create a record retention schedule, contact <a href="https://www.zasio.com/about-us/contact-us/" data-wpel-link="internal">Zasio</a> today to see how our innovative products and services can help meet your record-keeping and information governance needs.</p>
<p><a href="https://www.zasio.com/lets-hit-the-slopes-what-to-know-about-colorados-personal-privacy-act/#_ednref1" name="_edn1" data-wpel-link="internal">[1]</a> Protect Personal Data Privacy: Concerning additional protection of data relating to personal privacy.</p>
<p><a href="https://leg.colorado.gov/bills/sb21-190" data-wpel-link="external" rel="external noopener noreferrer">https://leg.colorado.gov/bills/sb21-190</a></p>
<p><a href="https://www.zasio.com/lets-hit-the-slopes-what-to-know-about-colorados-personal-privacy-act/#_ednref2" name="_edn2" data-wpel-link="internal">[2]</a> SB21-190: Protect Personal Data Privacy- Concerning additional protection of data relating to personal privacy.</p>
<p><a href="https://leg.colorado.gov/bills/sb21-190" data-wpel-link="external" rel="external noopener noreferrer">https://leg.colorado.gov/bills/sb21-190</a></p>
<p><a href="https://leg.colorado.gov/sites/default/files/2021a_190_signed.pdf" data-wpel-link="external" rel="external noopener noreferrer">https://leg.colorado.gov/sites/default/files/2021a_190_signed.pdf</a></p>
<p><a href="https://www.zasio.com/lets-hit-the-slopes-what-to-know-about-colorados-personal-privacy-act/#_ednref3" name="_edn3" data-wpel-link="internal">[3]</a> Colorado’s Emergent Consumer Privacy Bill Introduces Chance to Opt Out of Data Processing</p>
<p><a href="https://www.pillsburylaw.com/en/news-and-insights/colorado-emergent-consumer-privacy-bill-opt-out-data-processing.html" data-wpel-link="external" rel="external noopener noreferrer">https://www.pillsburylaw.com/en/news-and-insights/colorado-emergent-consumer-privacy-bill-opt-out-data-processing.html</a></p>
<p><a href="https://www.zasio.com/lets-hit-the-slopes-what-to-know-about-colorados-personal-privacy-act/#_ednref4" name="_edn4" data-wpel-link="internal">[4]</a> Colorado’s Consumer Data Protection Act Has Passed: What’s in It?</p>
<p><a href="https://www.manatt.com/insights/newsletters/privacy-and-data-security/colorados-consumer-data-protection-act-has-passed" data-wpel-link="external" rel="external noopener noreferrer">https://www.manatt.com/insights/newsletters/privacy-and-data-security/colorados-consumer-data-protection-act-has-passed</a></p>
<p><a href="https://www.zasio.com/lets-hit-the-slopes-what-to-know-about-colorados-personal-privacy-act/#_ednref5" name="_edn5" data-wpel-link="internal">[5]</a> Colorado Privacy Act: What Businesses Need to Know</p>
<p><a href="https://www.akingump.com/en/news-insights/what-business-need-to-know-about-the-colorado-privacy-act.html#_ftnref30" data-wpel-link="external" rel="external noopener noreferrer">https://www.akingump.com/en/news-insights/what-business-need-to-know-about-the-colorado-privacy-act.html#_ftnref30</a></p>
<p><em>Disclaimer: The purpose of this post is to provide general education on Information Governance topics. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.</em></p>
]]></content:encoded>
					
					<wfw:commentRss>https://zasio.com/lets-hit-the-slopes-what-to-know-about-colorados-personal-privacy-act/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Changes to the California Consumer Privacy Act of which Consumers Should be Aware</title>
		<link>https://zasio.com/changes-to-the-california-consumer-privacy-act-of-which-consumers-should-be-aware/</link>
					<comments>https://zasio.com/changes-to-the-california-consumer-privacy-act-of-which-consumers-should-be-aware/#respond</comments>
		
		<dc:creator><![CDATA[Zasio]]></dc:creator>
		<pubDate>Wed, 16 Jun 2021 20:45:53 +0000</pubDate>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[By Brandon Tuley]]></category>
		<category><![CDATA[Brandon Tuley]]></category>
		<category><![CDATA[california consumer privacy act]]></category>
		<category><![CDATA[California Privacy Rights Act]]></category>
		<category><![CDATA[CCPA]]></category>
		<category><![CDATA[CPRA]]></category>
		<category><![CDATA[data governance]]></category>
		<category><![CDATA[information governance]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[privacy regulations]]></category>
		<category><![CDATA[Prop 24]]></category>
		<category><![CDATA[RIM]]></category>
		<guid isPermaLink="false">https://wordpress-140425-3498808.cloudwaysapps.com/?p=528</guid>

					<description><![CDATA[<p>The post <a href="https://zasio.com/changes-to-the-california-consumer-privacy-act-of-which-consumers-should-be-aware/" data-wpel-link="internal">Changes to the California Consumer Privacy Act of which Consumers Should be Aware</a> appeared first on <a href="https://zasio.com" data-wpel-link="internal">Zasio</a>.</p>
]]></description>
										<content:encoded><![CDATA[<div class="et_pb_section et_pb_section_0 et_section_regular" >
				
				
				
				
				
				
				<div class="et_pb_row et_pb_row_0">
				<div class="et_pb_column et_pb_column_4_4 et_pb_column_0  et_pb_css_mix_blend_mode_passthrough et-last-child">
				
				
				
				
				<div class="et_pb_module et_pb_text et_pb_text_0  et_pb_text_align_left et_pb_bg_layout_light">
				
				
				
				
				<div class="et_pb_text_inner">Data privacy regulations have been a hot topic in the ever-changing discussion of consumer privacy. So far in 2021, 27 bills have been proposed in states which seek to implement new or change existing data privacy laws.<a href="https://www.zasio.com/changes-to-the-california-consumer-privacy-act-of-which-consumers-should-be-aware/#_ftn1" name="_ftnref1" data-wpel-link="internal">[1]</a> By comparison, only two state-level bills were introduced in all of 2018.<a href="https://www.zasio.com/changes-to-the-california-consumer-privacy-act-of-which-consumers-should-be-aware/#_ftn2" name="_ftnref2" data-wpel-link="internal">[2]</a></p>
<p>One of those 2018 bills was the California Consumer Privacy Act (CCPA), a wide-reaching statute designed to enhance online consumer privacy for California residents.<a href="https://www.zasio.com/changes-to-the-california-consumer-privacy-act-of-which-consumers-should-be-aware/#_ftn3" name="_ftnref3" data-wpel-link="internal">[3]</a> On November 3, 2020, just nine months after the CCPA became enforceable,<a href="https://www.zasio.com/changes-to-the-california-consumer-privacy-act-of-which-consumers-should-be-aware/#_ftn4" name="_ftnref4" data-wpel-link="internal">[4]</a> California voters passed Prop 24 (also known as the California Privacy Rights Act or “CPRA”), which contains several significant changes to the CCPA.<a href="https://www.zasio.com/changes-to-the-california-consumer-privacy-act-of-which-consumers-should-be-aware/#_ftn5" name="_ftnref5" data-wpel-link="internal">[5]</a> However, businesses still have some time to study and adapt to these changes. The CPRA will only apply to personal information collected by a business on or after January 1st, 2022, and the CPRA does not become operative law until January 1st, 2023.<a href="https://www.zasio.com/changes-to-the-california-consumer-privacy-act-of-which-consumers-should-be-aware/#_ftn6" name="_ftnref6" data-wpel-link="internal">[6]</a> While not yet effective, there is no doubt the CPRA enhancements to the CCPA will be very impactful. Among other things, the CPRA changes what entities are required to comply with the CCPA and also establishes the California Privacy Protection Agency.<a href="https://www.zasio.com/changes-to-the-california-consumer-privacy-act-of-which-consumers-should-be-aware/#_ftn7" name="_ftnref7" data-wpel-link="internal">[7]</a></p>
<p><strong>CPRA Changes to Regulated Entities</strong></p>
<p>To be regulated under the CCPA, a “business” as defined under California law must satisfy at least one of the following three conditions: (1) has annual gross revenue above twenty-five million dollars; (2) alone or in combination is involved in the buying, selling, or sharing of personal information of fifty-thousand or more consumers, households, or devices; or (3) derives fifty percent or more of its annual revenue from selling consumer’s personal information.<a href="https://www.zasio.com/changes-to-the-california-consumer-privacy-act-of-which-consumers-should-be-aware/#_ftn8" name="_ftnref8" data-wpel-link="internal">[8]</a></p>
<p>The CPRA makes three fairly significant changes to these jurisdictional conditions.<a href="https://www.zasio.com/changes-to-the-california-consumer-privacy-act-of-which-consumers-should-be-aware/#_ftn9" name="_ftnref9" data-wpel-link="internal">[9]</a> The first is that the numeric threshold of “fifty thousand or more consumers, households, or devices” will be increased to one hundred thousand.<a href="https://www.zasio.com/changes-to-the-california-consumer-privacy-act-of-which-consumers-should-be-aware/#_ftn10" name="_ftnref10" data-wpel-link="internal">[10]</a> The second is that devices will no longer be considered when calculating the jurisdictional threshold.<a href="https://www.zasio.com/changes-to-the-california-consumer-privacy-act-of-which-consumers-should-be-aware/#_ftn11" name="_ftnref11" data-wpel-link="internal">[11]</a> The third is the addition of the phrase “or sharing” to regulate entities that derive fifty percent or more of their annual revenues from selling or sharing personal information.<a href="https://www.zasio.com/changes-to-the-california-consumer-privacy-act-of-which-consumers-should-be-aware/#_ftn12" name="_ftnref12" data-wpel-link="internal">[12]</a> In other words, entities will no longer be able to avoid compliance by claiming that more than fifty percent of their annual revenue comes from sharing information, and not selling it.</p>
<p><strong>Creation of The California Privacy Protection Agency</strong></p>
<p>Currently, the CCPA only allows individuals and the California Attorney General to bring claims alleging CCPA violations.<a href="https://www.zasio.com/changes-to-the-california-consumer-privacy-act-of-which-consumers-should-be-aware/#_ftn13" name="_ftnref13" data-wpel-link="internal">[13]</a> Despite the California AG having the authority to bring claims, though, that office is only equipped to handle a handful of cases per year.<a href="https://www.zasio.com/changes-to-the-california-consumer-privacy-act-of-which-consumers-should-be-aware/#_ftn14" name="_ftnref14" data-wpel-link="internal">[14]</a> Section 24 of the CPRA creates the California Privacy Protection Agency,<a href="https://www.zasio.com/changes-to-the-california-consumer-privacy-act-of-which-consumers-should-be-aware/#_ftn15" name="_ftnref15" data-wpel-link="internal">[15]</a> which will not only administer and enforce actions involving the CCPA but also promote public awareness of online security and provide guidance to consumers and businesses regarding their rights and duties under the CCPA.<a href="https://www.zasio.com/changes-to-the-california-consumer-privacy-act-of-which-consumers-should-be-aware/#_ftn16" name="_ftnref16" data-wpel-link="internal">[16]</a> The creation of an agency funded with ten million dollars to issue sanctions to companies that violate the CPRA should lessen the burden that is currently placed on the California Attorney General.<a href="https://www.zasio.com/changes-to-the-california-consumer-privacy-act-of-which-consumers-should-be-aware/#_ftn17" name="_ftnref17" data-wpel-link="internal">[17]</a></p>
<p><strong>Conclusion</strong></p>
<p>The CCPA and CPRA have placed California at the forefront of state online consumer privacy laws. Given the large number of California residents (roughly one in eight U.S. residents live there) and businesses subject to these laws’ reach, the CPRA no doubt will increase the CCPA’s already profound impact on online consumer privacy protection. Time will tell the impact California’s approach will have on how other states create and change their consumer privacy laws. Such legislation likely has the potential to cause a ripple effect of creating guidelines as to what entities are governed as well as the creation of enforcement agencies. <a href="https://www.zasio.com/about-us/contact-us/" data-wpel-link="internal">Contact Zasio</a> today to see how our innovative products and services can help you remain compliant.</p>
<p><a href="https://www.zasio.com/changes-to-the-california-consumer-privacy-act-of-which-consumers-should-be-aware/#_ftnref1" name="_ftn1" data-wpel-link="internal">[1]</a> David McCabe and Cecilia Kang, <em>As Congress Dithers, States Step In to Set Rules for the Internet</em>, N.Y. Times (May 14, 2021), <a href="https://www.nytimes.com/2021/05/14/technology/state-privacy-internet-laws.html" data-wpel-link="external" rel="external noopener noreferrer">https://www.nytimes.com/2021/05/14/technology/state-privacy-internet-laws.html</a>.</p>
<p><a href="https://www.zasio.com/changes-to-the-california-consumer-privacy-act-of-which-consumers-should-be-aware/#_ftnref2" name="_ftn2" data-wpel-link="internal">[2]</a> <em>Id</em>.</p>
<p><a href="https://www.zasio.com/changes-to-the-california-consumer-privacy-act-of-which-consumers-should-be-aware/#_ftnref3" name="_ftn3" data-wpel-link="internal">[3]</a> <em>See </em>Daisuke Wakabayashi, <em>California Passes Sweeping Law to Protect Online Privacy</em>, N.Y. Times (June 28, 2018), <a href="https://www.nytimes.com/2018/06/28/technology/california-online-privacy-law.html" data-wpel-link="external" rel="external noopener noreferrer">https://www.nytimes.com/2018/06/28/technology/california-online-privacy-law.html</a>.</p>
<p><a href="https://www.zasio.com/changes-to-the-california-consumer-privacy-act-of-which-consumers-should-be-aware/#_ftnref4" name="_ftn4" data-wpel-link="internal">[4]</a> <em>Id</em>.</p>
<p><a href="https://www.zasio.com/changes-to-the-california-consumer-privacy-act-of-which-consumers-should-be-aware/#_ftnref5" name="_ftn5" data-wpel-link="internal">[5]</a> <em>See</em> Cal. Legis. Serv. Proposition 24 (West 2020).</p>
<p><a href="https://www.zasio.com/changes-to-the-california-consumer-privacy-act-of-which-consumers-should-be-aware/#_ftnref6" name="_ftn6" data-wpel-link="internal">[6]</a> <em>Id</em>.</p>
<p><a href="https://www.zasio.com/changes-to-the-california-consumer-privacy-act-of-which-consumers-should-be-aware/#_ftnref7" name="_ftn7" data-wpel-link="internal">[7]</a> <em>Id</em>.</p>
<p><a href="https://www.zasio.com/changes-to-the-california-consumer-privacy-act-of-which-consumers-should-be-aware/#_ftnref8" name="_ftn8" data-wpel-link="internal">[8]</a> <em>See</em> Cal. Civ. Code § 1798.140(c)(1)(A–C) (West 2020).</p>
<p><a href="https://www.zasio.com/changes-to-the-california-consumer-privacy-act-of-which-consumers-should-be-aware/#_ftnref9" name="_ftn9" data-wpel-link="internal">[9]</a> <em>See </em>Cal. Legis. Serv. Proposition 24 (West 2020).</p>
<p><a href="https://www.zasio.com/changes-to-the-california-consumer-privacy-act-of-which-consumers-should-be-aware/#_ftnref10" name="_ftn10" data-wpel-link="internal">[10]</a> <em>Id</em>.</p>
<p><a href="https://www.zasio.com/changes-to-the-california-consumer-privacy-act-of-which-consumers-should-be-aware/#_ftnref11" name="_ftn11" data-wpel-link="internal">[11]</a> <em>Id</em>.</p>
<p><a href="https://www.zasio.com/changes-to-the-california-consumer-privacy-act-of-which-consumers-should-be-aware/#_ftnref12" name="_ftn12" data-wpel-link="internal">[12]</a> <em>Id</em>.</p>
<p><a href="https://www.zasio.com/changes-to-the-california-consumer-privacy-act-of-which-consumers-should-be-aware/#_ftnref13" name="_ftn13" data-wpel-link="internal">[13]</a> <em>See</em> Cal. Civ. Code § 1798.150–155 (West 2020).</p>
<p><a href="https://www.zasio.com/changes-to-the-california-consumer-privacy-act-of-which-consumers-should-be-aware/#_ftnref14" name="_ftn14" data-wpel-link="internal">[14]</a> Greg Bensinger, <em>A Privacy Measure That’s Hard to Like</em>, N.Y. Times (Oct. 28, 2020), <a href="https://www.nytimes.com/2020/10/28/opinion/california-prop-24-privacy.html" data-wpel-link="external" rel="external noopener noreferrer">https://www.nytimes.com/2020/10/28/opinion/california-prop-24-privacy.html</a>.</p>
<p><a href="https://www.zasio.com/changes-to-the-california-consumer-privacy-act-of-which-consumers-should-be-aware/#_ftnref15" name="_ftn15" data-wpel-link="internal">[15]</a> Cal. Legis. Serv. Proposition 24 (West 2020).</p>
<p><a href="https://www.zasio.com/changes-to-the-california-consumer-privacy-act-of-which-consumers-should-be-aware/#_ftnref16" name="_ftn16" data-wpel-link="internal">[16]</a> Cal. Legis. Serv. Proposition 24 (West 2020).</p>
<p><a href="https://www.zasio.com/changes-to-the-california-consumer-privacy-act-of-which-consumers-should-be-aware/#_ftnref17" name="_ftn17" data-wpel-link="internal">[17]</a> Greg Bensinger, <em>A Privacy Measure That’s Hard to Like</em>, N.Y. Times (Oct. 28, 2020), <a href="https://www.nytimes.com/2020/10/28/opinion/california-prop-24-privacy.html" data-wpel-link="external" rel="external noopener noreferrer">https://www.nytimes.com/2020/10/28/opinion/california-prop-24-privacy.html</a>.</p>
<p><em>Disclaimer: The purpose of this post is to provide general education on Information Governance topics. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.</em></div>
			</div>
			</div>
				
				
				
				
			</div><div class="et_pb_row et_pb_row_1">
				<div class="et_pb_column et_pb_column_4_4 et_pb_column_1  et_pb_css_mix_blend_mode_passthrough et-last-child">
				
				
				
				
				<div class="et_pb_with_border et_pb_module et_pb_team_member et_pb_team_member_0 clearfix  et_pb_bg_layout_light">
				
				
				
				
				<div class="et_pb_team_member_image et-waypoint et_pb_animation_off"><img decoding="async" width="96" height="96" src="https://zasio.com/wp-content/uploads/2023/05/Screenshot-2023-10-18-133311.png" alt="Author: Brandon Tuley, JD, CIPP/E" class="wp-image-2009" /></div>
				<div class="et_pb_team_member_description">
					<h4 class="et_pb_module_header">Author: Brandon Tuley, JD, CIPP/E</h4>
					<p class="et_pb_member_position">Analyst / Licensed Attorney</p>
					
					
				</div>
			</div>
			</div>
				
				
				
				
			</div>
				
				
			</div>
]]></content:encoded>
					
					<wfw:commentRss>https://zasio.com/changes-to-the-california-consumer-privacy-act-of-which-consumers-should-be-aware/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Virginia’s New CCPA-style Privacy Law: Powerhouse or Paper Tiger?</title>
		<link>https://zasio.com/virginias-new-ccpa-style-privacy-law-powerhouse-or-paper-tiger/</link>
					<comments>https://zasio.com/virginias-new-ccpa-style-privacy-law-powerhouse-or-paper-tiger/#respond</comments>
		
		<dc:creator><![CDATA[Zasio]]></dc:creator>
		<pubDate>Thu, 04 Mar 2021 21:16:29 +0000</pubDate>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[By Frank Fazzio]]></category>
		<category><![CDATA[CCPA]]></category>
		<category><![CDATA[data protection]]></category>
		<category><![CDATA[European Union]]></category>
		<category><![CDATA[Frank Fazzio]]></category>
		<category><![CDATA[GDPR]]></category>
		<category><![CDATA[law]]></category>
		<category><![CDATA[personal data]]></category>
		<category><![CDATA[privacy law]]></category>
		<category><![CDATA[privacy legislation]]></category>
		<category><![CDATA[VCPDA]]></category>
		<category><![CDATA[Virginia law]]></category>
		<category><![CDATA[Virginia’s Privacy Law]]></category>
		<guid isPermaLink="false">https://wordpress-140425-3498808.cloudwaysapps.com/?p=570</guid>

					<description><![CDATA[<p>The post <a href="https://zasio.com/virginias-new-ccpa-style-privacy-law-powerhouse-or-paper-tiger/" data-wpel-link="internal">Virginia’s New CCPA-style Privacy Law: Powerhouse or Paper Tiger?</a> appeared first on <a href="https://zasio.com" data-wpel-link="internal">Zasio</a>.</p>
]]></description>
										<content:encoded><![CDATA[<div class="et_pb_section et_pb_section_1 et_section_regular" >
				
				
				
				
				
				
				<div class="et_pb_row et_pb_row_2">
				<div class="et_pb_column et_pb_column_4_4 et_pb_column_2  et_pb_css_mix_blend_mode_passthrough et-last-child">
				
				
				
				
				<div class="et_pb_module et_pb_text et_pb_text_1  et_pb_text_align_left et_pb_bg_layout_light">
				
				
				
				
				<div class="et_pb_text_inner">Virginia has just become the second U.S. state to enact a comprehensive privacy protection law. After passage by overwhelming majorities in both the Virginia Senate and House of Delegates, the Virginia Consumer Data Protection Act<a href="https://www.zasio.com/virginias-new-ccpa-style-privacy-law-powerhouse-or-paper-tiger/#_ftn1" name="_ftnref1" data-wpel-link="internal">[1]</a> (“VCDPA”) was signed into law by Governor Ralph Northam on March 2. While lawmakers in several other states like New York and Washington have proposed their own privacy bills, those efforts have so far hit various snags and stumbling blocks in the legislative process that have stalled their final passage into law.</p>
<p><strong>Growing Trend of State-level Privacy Laws</strong></p>
<p>The VCDPA is now the first broad state-level privacy law enacted since California’s CCPA. However, it is just the latest in the ongoing push among states to pass their own privacy legislation, spurred by the absence of any federal privacy legislation on par with the EU’s GDPR. It remains to be seen whether the resulting patchwork of state laws can effectively substitute for a comprehensive federal privacy law. As a sign that it may not, the VCDPA’s enforcement mechanisms invite concern that the law may not be tough enough to meaningfully change company behavior.</p>
<p><strong>Numerous CCPA &amp; GDPR Similarities, Some New Features</strong></p>
<p>The VCDPA borrows many of the same key principles as California’s CCPA and the European Union’s GDPR. For example, it relies on a similarly expansive definition of personal data that includes any data or information that can be linked to an “identified or identifiable natural person” and carves out sanitized de-identified data. It also contains a similar bill of individual rights that includes the right to:</p>
<ul>
<li>know what personal data is being processed;</li>
<li>correct or delete that data;</li>
<li>obtain a portable copy of personal data;</li>
<li>opt out of having your personal data sold.</li>
</ul>
<p>The VCDPA is applicable to any company that does business in Virginia or serves Virginia consumers (defined as natural persons residing in Virginia and acting in a non-commercial and non-employment capacity) and processes over 100,000 consumers’ data. This figure decreases to 25,000 consumers if a company earns over 50% of its gross revenue from selling personal data. This is similar to the CCPA’s standard of 50,000 consumers or 50% of revenue from selling personal data. However, while the CCPA has a monetary trigger that brings any company with gross revenue of at least $25 million under its purview, the VCDPA has no monetary trigger, which will allow some companies earning over $25m to avoid compliance.</p>
<p>The VCDPA also requires a person’s affirmative consent (known as an “opt-in”) before a company can process sensitive data. Under the VCDPA, sensitive data is defined as data showing racial or ethnic origin, religious beliefs, mental/physical health diagnosis, sexual orientation, immigration status, genetic or biometric data, data collected from minors, and precise geolocation data. In contrast to the CCPA, a person’s opt-in under the VCDPA is required regardless of whether personal data is being sold.</p>
<p>A novel feature under the VCDPA is the requirement that controllers conduct a precautionary data protection assessment of any IT systems processing personal data for targeted advertising, sale of personal data, consumer profiling, or systems containing sensitive personal data or data that might cause a heightened risk of harm to the consumer. These checks will add another layer of defenses to help protect against the ever-intensifying efforts of cybercriminals.</p>
<p><strong>Light-Touch Enforcement &amp; Penalties for Opt-Outs</strong></p>
<p>The VCDPA departs significantly from the CCPA’s formula for privacy regulation by not including any private right of action. Under the VCDPA, individual consumers who have been harmed by non-compliance will not be able to personally sue for civil damages. Instead, the law will be enforced exclusively by the Virginia attorney general’s office, which will have the power to levy fines of up to $7,500 per violation. But like the CCPA, offenders can cure any violations during a 30-day period to avoid paying a fine.</p>
<p>Also, under the CCPA, lawyers can band together hundreds or thousands of CCPA-affected Californians to form class action lawsuits against an offending company, and collectively seek millions of dollars in damages. This serves as a major deterrent against non-compliance. In contrast, under the VCDPA, the class action lawsuit threat is not present. Further still, crafting a lawsuit requires a significant amount of time and expense to organize, but a curative action undertaken within thirty days can completely negate the lawsuit and make it disappear. This would tend to strongly disincentivize lawsuits and blunt the VCDPA’s enforcement heft.</p>
<p>Another key difference between the CCPA and VCDPA is that, while both laws prohibit overt discrimination against consumers who exercise their opt-out rights (a company cannot change the rates, prices, or quality of goods and services that are offered to a consumer), the VCDPA <em>explicitly</em> allows this kind of discrimination when the consumer’s choice prevents them from getting targeted advertising or from enrolling in a voluntary loyalty program. In other words, if processing or selling a consumer’s personal data is a prerequisite to participating in a company’s loyalty rewards program or targeted marketing, an opt-out can potentially leave consumers out in the cold on special prices or promotional offers that their less privacy-conscious peers may enjoy.</p>
<p>Taken as a whole, the VCDPA reveals a markedly different and more permissive enforcement landscape for companies when compared to the CCPA. The VCDPA is set to go into effect on January 1, 2023.</p>
<p><strong>Conclusion</strong></p>
<p>Once two states have taken the plunge by enacting big-ticket privacy laws, expect that others will surely follow. Presently, more than a dozen states continue to work on their own privacy laws. As more states pass privacy laws with their own eccentricities, the growing complexity caused by an overlapping patchwork of state requirements may increase pressure on Congress to set a baseline to which all personal data processors must adhere. With single-party control of the White House and both houses of Congress, the likelihood of passing comprehensive federal privacy legislation now may be greater than ever.</p>
<p><a href="https://www.zasio.com/virginias-new-ccpa-style-privacy-law-powerhouse-or-paper-tiger/#_ftnref1" name="_ftn1" data-wpel-link="internal">[1]</a> <a href="https://lis.virginia.gov/cgi-bin/legp604.exe?211+ful+SB1392+pdf" data-wpel-link="external" rel="external noopener noreferrer">https://lis.virginia.gov/cgi-bin/legp604.exe?211+ful+SB1392+pdf</a></p>
<p><em>Disclaimer: The purpose of this post is to provide general education on Information Governance topics. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.</em></div>
			</div>
			</div>
				
				
				
				
			</div><div class="et_pb_row et_pb_row_3">
				<div class="et_pb_column et_pb_column_4_4 et_pb_column_3  et_pb_css_mix_blend_mode_passthrough et-last-child">
				
				
				
				
				<div class="et_pb_with_border et_pb_module et_pb_team_member et_pb_team_member_1 clearfix  et_pb_bg_layout_light">
				
				
				
				
				<div class="et_pb_team_member_image et-waypoint et_pb_animation_off"><img loading="lazy" decoding="async" width="96" height="96" src="https://zasio.com/wp-content/uploads/2023/05/Frank-01-96x96-1.png" alt="Author: Frank Fazzio, IGP, CRM" class="wp-image-1966" /></div>
				<div class="et_pb_team_member_description">
					<h4 class="et_pb_module_header">Author: Frank Fazzio, IGP, CRM</h4>
					<p class="et_pb_member_position">Analyst / Licensed Attorney</p>
					
					
				</div>
			</div>
			</div>
				
				
				
				
			</div>
				
				
			</div>
]]></content:encoded>
					
					<wfw:commentRss>https://zasio.com/virginias-new-ccpa-style-privacy-law-powerhouse-or-paper-tiger/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>US Privacy Laws &#038; RIM — Recent Developments</title>
		<link>https://zasio.com/us-privacy-laws-rim-recent-developments/</link>
					<comments>https://zasio.com/us-privacy-laws-rim-recent-developments/#respond</comments>
		
		<dc:creator><![CDATA[Zasio]]></dc:creator>
		<pubDate>Thu, 07 Jan 2021 21:43:32 +0000</pubDate>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[By Rick Surber]]></category>
		<category><![CDATA[california consumer privacy act]]></category>
		<category><![CDATA[California Privacy Rights Act]]></category>
		<category><![CDATA[CCPA]]></category>
		<category><![CDATA[CPRA]]></category>
		<category><![CDATA[IG]]></category>
		<category><![CDATA[information governance]]></category>
		<category><![CDATA[personal information]]></category>
		<category><![CDATA[PI]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[records and information management]]></category>
		<category><![CDATA[retention]]></category>
		<category><![CDATA[RIM]]></category>
		<guid isPermaLink="false">https://wordpress-140425-3498808.cloudwaysapps.com/?p=586</guid>

					<description><![CDATA[<p>The post <a href="https://zasio.com/us-privacy-laws-rim-recent-developments/" data-wpel-link="internal">US Privacy Laws &#038; RIM — Recent Developments</a> appeared first on <a href="https://zasio.com" data-wpel-link="internal">Zasio</a>.</p>
]]></description>
										<content:encoded><![CDATA[<div class="et_pb_section et_pb_section_2 et_section_regular" >
				
				
				
				
				
				
				<div class="et_pb_row et_pb_row_4">
				<div class="et_pb_column et_pb_column_4_4 et_pb_column_4  et_pb_css_mix_blend_mode_passthrough et-last-child">
				
				
				
				
				<div class="et_pb_module et_pb_text et_pb_text_2  et_pb_text_align_left et_pb_bg_layout_light">
				
				
				
				
				<div class="et_pb_text_inner">Privacy may very well be the fastest-growing area of law so far in the 21<sup>st</sup> century. While the US, at the federal level, has resisted a broad privacy law similar to the GDPR, momentum is steadily gaining for privacy legislation at the state level. This blog explores US privacy law’s recent developments from a records and information management (RIM) perspective.</p>
<p><strong>I. Recently Enacted Privacy Legislation</strong></p>
<p>The number of new bills introduced in 2020 broadly regulating privacy illustrates the subject’s popularity. In 2020 there were more than 20 privacy bills introduced at the state level in the US.<a href="https://www.zasio.com/us-privacy-laws-rim-recent-developments/#_ftn1" name="_ftnref1" data-wpel-link="internal">[1]</a> Federally, there were dozens of bills and discussion drafts introduced during the last two sessions of Congress.<a href="https://www.zasio.com/us-privacy-laws-rim-recent-developments/#_ftn2" name="_ftnref2" data-wpel-link="internal">[2]</a> While most of the recent broad privacy bills met their demise in legislative committees, here are some of the ones that survived and became law.</p>
<p><strong><u>California’s Privacy Rights Act (CPRA)</u></strong></p>
<p>The biggest development in US privacy law in 2020 was the passage of the CPRA by ballot initiative during the November election. The CPRA amends the California Consumer Privacy Act (CCPA) in major ways. Here is a summary of these changes:</p>
<ul>
<li>New Privacy Authority Created: The CPRA creates the California Privacy Protection Agency (CPPA) and grants it the authority to enforce the act by making rules and investigating non-compliance.<a href="https://www.zasio.com/us-privacy-laws-rim-recent-developments/#_ftn3" name="_ftnref3" data-wpel-link="internal">[3]</a></li>
<li>Creates New Sensitive Personal Information Category: The CPRA provides stricter requirements for sensitive PI, with stricter use and disclosure provisions than regular PI, including consumers’ ability to restrict use and disclosure for some purposes. Examples of sensitive PI include social security numbers, identification numbers from identification cards such as passports and licenses, financial account information, race, ethnic origin, religion, genetic information, and precise location information, among others.<a href="https://www.zasio.com/us-privacy-laws-rim-recent-developments/#_ftn4" name="_ftnref4" data-wpel-link="internal">[4]</a></li>
<li>Expanded Rights for Consumers: In addition to their ability to restrict the use of sensitive PI, consumers have several new and expanded rights under the CPRA. These include new rights to correct inaccurate PI, expanded rights to delete PI from third parties, and expanded/modified rights to know, opt-out, notice of collection, and request deletion of PI.<a href="https://www.zasio.com/us-privacy-laws-rim-recent-developments/#_ftn5" name="_ftnref5" data-wpel-link="internal">[5]</a></li>
<li>Revised Regulated Party: The CPRA expands regulated business activities to include parties receiving PI. The CCPA only included parties who buy, sell, or share PI. The CPRA also expands regulated business activities by revising the threshold of deriving at least 50 percent of income from selling PI to include profits from sharing PI. However, the CPRA excludes many small businesses previously covered under the CCPA by increasing the threshold number of consumers or households from 50,000+ to 100,000+.<a href="https://www.zasio.com/us-privacy-laws-rim-recent-developments/#_ftn6" name="_ftnref6" data-wpel-link="internal">[6]</a></li>
<li>PI Retention Changes: CPRA has some retention changes similar to requirements in the GDPR. Under the CPRA, businesses now are prohibited from keeping PI unless it’s reasonably necessary to meet a disclosed purpose. Further, businesses must specify the criteria used to determine the retention period for PI categories or the retention period itself at the time of collection.<a href="https://www.zasio.com/us-privacy-laws-rim-recent-developments/#_ftn7" name="_ftnref7" data-wpel-link="internal">[7]</a></li>
</ul>
<p>Like the CCPA, there is a window before the CPRA becomes effective, allowing businesses time to implement compliance measures. The CPRA will become effective on January 1, 2023.</p>
<p><strong><u>Maine Act to Protect the Privacy of Online Customer Information (35 M.R.S. 9301)</u></strong></p>
<p>Maine passed a privacy act in 2019, restricting the collection, retention, use, disclosure, sale, or access to customer PI by broadband internet access services. This act provides exceptions, including consent, providing services related to the purpose for collection, direct advertising, and several others.  It also includes requirements for security and protection of consumer PI lawfully collected.<a href="https://www.zasio.com/us-privacy-laws-rim-recent-developments/#_ftn8" name="_ftnref8" data-wpel-link="internal">[8]</a></p>
<p><strong><u>Nevada Amended Security of Information Maintained by Data Collectors and Other Businesses (Nev. Rev. Stat. Ann. 603A)</u></strong></p>
<p>Nevada revised its PI security law by enhancing requirements for state government controls in the “collection, dissemination and maintenance” of PI.<a href="https://www.zasio.com/us-privacy-laws-rim-recent-developments/#_ftn9" name="_ftnref9" data-wpel-link="internal">[9]</a></p>
<p><strong>II. U.S. Privacy Law Trends Leading Into 2020</strong></p>
<p>The year 2020 highlighted an ongoing trend in U.S. privacy laws. For reference, the following includes a summary of additional privacy laws generally applicable to businesses and employers that impact PI retention:</p>
<p><strong><u>Illinois Biometric Information Privacy Act (740 ILCS 14/)</u></strong></p>
<p>Section 15 of this law on “Retention; collection; disclosure; destruction” requires private entities possessing biometric identifiers to have a retention schedule specifying disposition “when the initial purpose for collecting or obtaining such identifiers or information has been satisfied or within three years of the individual’s last interaction with the private entity, whichever occurs first.”<a href="https://www.zasio.com/us-privacy-laws-rim-recent-developments/#_ftn10" name="_ftnref10" data-wpel-link="internal">[10]</a></p>
<p><strong><u>Maryland: COMAR 09.12.22.01</u></strong></p>
<p>This law from Maryland requires employers to retain PI medical information “only for the time needed to accomplish the purpose for access.”<a href="https://www.zasio.com/us-privacy-laws-rim-recent-developments/#_ftn11" name="_ftnref11" data-wpel-link="internal">[11]</a></p>
<p><strong><u>New York Stop Hacks and Improve Electronic Data Security Act (SHIELD Act): NY CLS Gen Bus 899-aa and 899-bb</u></strong></p>
<p>The SHIELD Act requires businesses owning or licensing computerized data containing PI to dispose of the PI “within a reasonable amount of time after it is no longer needed for business purposes by erasing electronic media so that the information cannot be read or reconstructed.”<a href="https://www.zasio.com/us-privacy-laws-rim-recent-developments/#_ftn12" name="_ftnref12" data-wpel-link="internal">[12]</a></p>
<p><strong><u>Texas: Tex. Bus. &amp; Com. Code 503.001</u></strong></p>
<p>This Texas legislation requires persons possessing biometric identifiers of individuals collected for a commercial purpose to “destroy it within a reasonable time, but not later than the first anniversary of the date the purpose for collecting the identifier expires.”<a href="https://www.zasio.com/us-privacy-laws-rim-recent-developments/#_ftn13" name="_ftnref13" data-wpel-link="internal">[13]</a></p>
<p><strong><u>Utah: Utah Code Ann. 34-46-203</u></strong></p>
<p>Utah’s latest enacted privacy legislation requires employers to destroy information collected during a hiring process within “two years after the day on which the applicant provides the information to the employer if the employer does not hire the applicant.”<a href="https://www.zasio.com/us-privacy-laws-rim-recent-developments/#_ftn14" name="_ftnref14" data-wpel-link="internal">[14]</a></p>
<p><strong><u>Washington: Rev. Code Wash. 19.375.020</u></strong></p>
<p>This recent Washington law requires that possessors of biometric identifiers collected for commercial purposes retain them for “no longer than is reasonably necessary to… provide the services for which the biometric identifier was enrolled.”<a href="https://www.zasio.com/us-privacy-laws-rim-recent-developments/#_ftn15" name="_ftnref15" data-wpel-link="internal">[15]</a></p>
<p><strong><u>Federal Children’s Online Privacy Protection Rule (16 CFR 312.10)</u></strong></p>
<p>This rule by the US Federal Trade Commission requires operators of websites or online services to retain PI collected from children for “only as long as is reasonably necessary to fulfill the purpose for which the information was collected.”<a href="https://www.zasio.com/us-privacy-laws-rim-recent-developments/#_ftn16" name="_ftnref16" data-wpel-link="internal">[16]</a></p>
<p><strong><u>Conclusion</u></strong></p>
<p>The above is just a sampling of privacy laws; many other US privacy laws generally regulate businesses and specific industries. If you need help strategizing how privacy requirements impact your RIM program, Zasio Consulting is here to help: <a href="https://www.zasio.com/about-us/contact-us/" data-wpel-link="internal">contact Zasio</a>.<a href="https://www.zasio.com/us-privacy-laws-rim-recent-developments/#_ftn17" name="_ftnref17" data-wpel-link="internal">[17]</a></p>
<p><a href="https://www.zasio.com/us-privacy-laws-rim-recent-developments/#_ftnref1" name="_ftn1" data-wpel-link="internal">[1]</a> Arizona (SB1614, HB2729), California (CPRA passed), Hawaii (HB 963), Illinois (SB2263, SB2330, HB5603), Maryland (HB0249, HB0784, HB1656), Minnesota (HF 3936), Nebraska (LB746), New Hampshire (HB1236), New Jersey (A2188, A3255), New York (S224, S5642), South Carolina (H4812), Virginia (HB473), Washington (SB6281), Wisconsin (AB870, AB871, AB872).</p>
<p><a href="https://www.zasio.com/us-privacy-laws-rim-recent-developments/#_ftnref2" name="_ftn2" data-wpel-link="internal">[2]</a> DATA Privacy Act (H.R.8749), Privacy Office Enhancement Act (H.R.5678), Consumer Online Privacy Rights Act (S.2968), Privacy Score Act of 2020 (H.R.6227), Social Media Privacy Protection and Consumer Rights Act of 2019 (S.189), Privacy Bill of Rights Act (S.1214), Protecting Education Privacy Act (H.R.2724), Moving Americans Privacy Protection Act (S.1302), Passenger Privacy Protection Act of 2019 (S.1206), Genetic Information Privacy Act of 2019 (H.R.2155), Secure Data and Privacy for Contact Tracing Act of 2020 (H.R.7472), Consumer Data Privacy and Security Act of 2020 (S.3456), Online Privacy Act of 2019 (H.R.4978) to name a select few.</p>
<p><a href="https://www.zasio.com/us-privacy-laws-rim-recent-developments/#_ftnref3" name="_ftn3" data-wpel-link="internal">[3]</a> The California Privacy Rights Act (CPRA) Section 24. <a href="https://oag.ca.gov/system/files/initiatives/pdfs/19-0021A1%20%28Consumer%20Privacy%20-%20Version%203%29_1.pdf" data-wpel-link="external" rel="external noopener noreferrer">https://oag.ca.gov/system/files/initiatives/pdfs/19-0021A1%20%28Consumer%20Privacy%20-%20Version%203%29_1.pdf</a></p>
<p><a href="https://www.zasio.com/us-privacy-laws-rim-recent-developments/#_ftnref4" name="_ftn4" data-wpel-link="internal">[4]</a> Id. at sections 10 and 13.</p>
<p><a href="https://www.zasio.com/us-privacy-laws-rim-recent-developments/#_ftnref5" name="_ftn5" data-wpel-link="internal">[5]</a> Id. at sections 3A, 5-12.</p>
<p><a href="https://www.zasio.com/us-privacy-laws-rim-recent-developments/#_ftnref6" name="_ftn6" data-wpel-link="internal">[6]</a> Id. at section 14.</p>
<p><a href="https://www.zasio.com/us-privacy-laws-rim-recent-developments/#_ftnref7" name="_ftn7" data-wpel-link="internal">[7]</a> Id. at sections 4, 12(7).</p>
<p><a href="https://www.zasio.com/us-privacy-laws-rim-recent-developments/#_ftnref8" name="_ftn8" data-wpel-link="internal">[8]</a> Act to Protect the Privacy of Online Customer Information (35 M.R.S. 9301). <a href="https://www.mainelegislature.org/legis/bills/getPDF.asp?paper=SP0275&amp;item=9&amp;snum=129" data-wpel-link="external" rel="external noopener noreferrer">https://www.mainelegislature.org/legis/bills/getPDF.asp?paper=SP0275&amp;item=9&amp;snum=129</a></p>
<p><a href="https://www.zasio.com/us-privacy-laws-rim-recent-developments/#_ftnref9" name="_ftn9" data-wpel-link="internal">[9]</a> Amended Security of Information Maintained by Data Collectors and Other Businesses (Nev. Rev. Stat. Ann. 603A) Section 210.  <a href="https://www.leg.state.nv.us/NRS/NRS-603A.html#NRS603ASec210" data-wpel-link="external" rel="external noopener noreferrer">https://www.leg.state.nv.us/NRS/NRS-603A.html#NRS603ASec210</a></p>
<p><a href="https://www.zasio.com/us-privacy-laws-rim-recent-developments/#_ftnref10" name="_ftn10" data-wpel-link="internal">[10]</a> Illinois Biometric Information Privacy Act (740 ILCS 14/) Sec. 15 (a).  <a href="https://www.ilga.gov/legislation/ilcs/ilcs3.asp?ActID=3004&amp;ChapterID=57" data-wpel-link="external" rel="external noopener noreferrer">https://www.ilga.gov/legislation/ilcs/ilcs3.asp?ActID=3004&amp;ChapterID=57</a></p>
<p><a href="https://www.zasio.com/us-privacy-laws-rim-recent-developments/#_ftnref11" name="_ftn11" data-wpel-link="internal">[11]</a> COMAR 09.12.22.01 (C).  <a href="http://www.dsd.state.md.us/comar/comarhtml/09/09.12.22.01.htm" data-wpel-link="external" rel="external noopener noreferrer">http://www.dsd.state.md.us/comar/comarhtml/09/09.12.22.01.htm</a></p>
<p><a href="https://www.zasio.com/us-privacy-laws-rim-recent-developments/#_ftnref12" name="_ftn12" data-wpel-link="internal">[12]</a> NY CLS Gen Bus 899-bb (2)(b)(ii)(C)(4). <a href="https://www.nysenate.gov/legislation/laws/GBS/899-BB" data-wpel-link="external" rel="external noopener noreferrer">https://www.nysenate.gov/legislation/laws/GBS/899-BB</a></p>
<p><a href="https://www.zasio.com/us-privacy-laws-rim-recent-developments/#_ftnref13" name="_ftn13" data-wpel-link="internal">[13]</a> Tex. Bus. &amp; Com. Code 503.001 (c)(3),(c-1). <a href="https://statutes.capitol.texas.gov/Docs/BC/htm/BC.503.htm" data-wpel-link="external" rel="external noopener noreferrer">https://statutes.capitol.texas.gov/Docs/BC/htm/BC.503.htm</a></p>
<p><a href="https://www.zasio.com/us-privacy-laws-rim-recent-developments/#_ftnref14" name="_ftn14" data-wpel-link="internal">[14]</a> Utah Code Ann. 34-46-203 (2). <a href="https://le.utah.gov/xcode/Title34/Chapter46/34-46-S203.html?v=C34-46-S203_1800010118000101" data-wpel-link="external" rel="external noopener noreferrer">https://le.utah.gov/xcode/Title34/Chapter46/34-46-S203.html?v=C34-46-S203_1800010118000101</a></p>
<p><a href="https://www.zasio.com/us-privacy-laws-rim-recent-developments/#_ftnref15" name="_ftn15" data-wpel-link="internal">[15]</a> Rev. Code Wash. 19.375.020 (4)(b). <a href="https://app.leg.wa.gov/RCW/default.aspx?cite=19.375.020#:~:text=RCW%2019.375.020-,Enrollment%2C%20disclosure%2C%20and%20retention%20of%20biometric%20identifiers.,identifier%20for%20a%20commercial%20purpose" data-wpel-link="external" rel="external noopener noreferrer">https://app.leg.wa.gov/RCW/default.aspx?cite=19.375.020#:~:text=RCW%2019.375.020-,Enrollment%2C%20disclosure%2C%20and%20retention%20of%20biometric%20identifiers.,identifier%20for%20a%20commercial%20purpose</a>.</p>
<p><a href="https://www.zasio.com/us-privacy-laws-rim-recent-developments/#_ftnref16" name="_ftn16" data-wpel-link="internal">[16]</a> 16 CFR 312.10. <a href="https://www.ecfr.gov/cgi-bin/text-idx?SID=d2d4616077fe505e154978fae9519ff3&amp;mc=true&amp;node=pt16.1.312&amp;rgn=div5#se16.1.312_110" data-wpel-link="external" rel="external noopener noreferrer">https://www.ecfr.gov/cgi-bin/text-idx?SID=d2d4616077fe505e154978fae9519ff3&amp;mc=true&amp;node=pt16.1.312&amp;rgn=div5#se16.1.312_110</a></p>
<p><a href="https://www.zasio.com/us-privacy-laws-rim-recent-developments/#_ftnref17" name="_ftn17" data-wpel-link="internal">[17]</a> <a href="https://www.zasio.com/consulting-services/" data-wpel-link="internal">https://www.zasio.com/consulting-services/</a></p>
<div><em>Disclaimer: The purpose of this post is to provide general education on information governance topics. The statements in this article are informational only and do not constitute legal or other professional advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.</em></div></div>
			</div>
			</div>
				
				
				
				
			</div><div class="et_pb_row et_pb_row_5">
				<div class="et_pb_column et_pb_column_4_4 et_pb_column_5  et_pb_css_mix_blend_mode_passthrough et-last-child">
				
				
				
				
				<div class="et_pb_with_border et_pb_module et_pb_team_member et_pb_team_member_2 clearfix  et_pb_bg_layout_light">
				
				
				
				
				<div class="et_pb_team_member_image et-waypoint et_pb_animation_off"><img loading="lazy" decoding="async" width="96" height="96" src="https://zasio.com/wp-content/uploads/2022/08/Rick-01-96x96-1.jpg" alt="Author: Rick Surber, CRM, IGP" class="wp-image-1934" /></div>
				<div class="et_pb_team_member_description">
					<h4 class="et_pb_module_header">Author: Rick Surber, CRM, IGP</h4>
					<p class="et_pb_member_position">Senior Analyst / Licensed Attorney</p>
					
					
				</div>
			</div>
			</div>
				
				
				
				
			</div>
				
				
			</div>
]]></content:encoded>
					
					<wfw:commentRss>https://zasio.com/us-privacy-laws-rim-recent-developments/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>The Evolving Impact of Company-Owned Devices in Records Management</title>
		<link>https://zasio.com/evolving-impact-of-company-owned-devices-in-records-management/</link>
					<comments>https://zasio.com/evolving-impact-of-company-owned-devices-in-records-management/#respond</comments>
		
		<dc:creator><![CDATA[Zasio]]></dc:creator>
		<pubDate>Thu, 07 Nov 2019 19:58:06 +0000</pubDate>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[By Heather Houle]]></category>
		<category><![CDATA[CCPA]]></category>
		<category><![CDATA[company-owned devices]]></category>
		<category><![CDATA[Cyber security]]></category>
		<category><![CDATA[data security]]></category>
		<category><![CDATA[Federal Electronic Communications Privacy Act]]></category>
		<category><![CDATA[Heather Houle]]></category>
		<category><![CDATA[mobile device security]]></category>
		<category><![CDATA[records management]]></category>
		<guid isPermaLink="false">https://wordpress-140425-3498808.cloudwaysapps.com/?p=753</guid>

					<description><![CDATA[<p>The post <a href="https://zasio.com/evolving-impact-of-company-owned-devices-in-records-management/" data-wpel-link="internal">The Evolving Impact of Company-Owned Devices in Records Management</a> appeared first on <a href="https://zasio.com" data-wpel-link="internal">Zasio</a>.</p>
]]></description>
										<content:encoded><![CDATA[<div class="et_pb_section et_pb_section_3 et_section_regular" >
				
				
				
				
				
				
				<div class="et_pb_row et_pb_row_6">
				<div class="et_pb_column et_pb_column_4_4 et_pb_column_6  et_pb_css_mix_blend_mode_passthrough et-last-child">
				
				
				
				
				<div class="et_pb_module et_pb_text et_pb_text_3  et_pb_text_align_left et_pb_bg_layout_light">
				
				
				
				
				<div class="et_pb_text_inner">In an ever-changing competitive world, businesses need to be flexible with technology and work environments. This flexibility allows employees to work from remote locations, on-site and from home offices on company-owned or personal devices such as cell phones, laptops and tablets. With this technology comes the responsibility of the business owner to protect their valuable records, trade secrets, proprietary information, intellectual property, and personally identifiable information stored on those devices. Federal, state and international laws require companies to protect personal information and lay down heavy sanctions when that information is not properly secured.</p>
<p>Courts have routinely held through the Federal Electronic Communications Privacy Act that when an employee uses a company-owned device, they have no reasonable expectation of privacy. If you use a company-owned device, it is the property of the employer, as is the information stored on it. Employers are free to monitor those devices once consent is given. California recently updated its Consumer Privacy Act to better protect consumers, and it excludes employees from the definition of consumers. The law states that the title does not apply to a natural person’s personal information collected and used by the business solely within the context of the natural person’s role or former role as a job applicant, an employee of or a contractor of that business.</p>
<p>The advantage of mobile devices is the convenience of access to your records and information in real-time, allowing your employees to be competitive and stay on top of your business needs. It is beneficial for an employee to remain in contact with coworkers and customers, and mobility allows for faster communication, such as drafting an email during the train or bus ride home. Mobile devices have increasingly greater file storage capacity and ease of sharing those files. Mobile apps can be used to schedule, design and collaborate, and can be tailored to your business specifics. A mobile work-station reduces the cost of having dedicated office space for employees.</p>
<p>The disadvantages are that devices are portable, and valuable records and information can be lost if the device is damaged or lost. Devices can be stolen, allowing unauthorized access to sensitive data if they have not been properly secured with passcodes, biometric authentication, and encryption. Mobile devices can be easily hacked through phishing scams, social engineering, malicious apps freely downloaded, or unsecured Wi-Fi. Accessible information on a device could include: passwords, credit card numbers and banking information, text messages, phone calls, recently visited sites, GPS location, contacts, recent files and deleted files. Information cached on a mobile device may still be discoverable even if the original copy was deleted based on the company’s retention schedule.</p>
<p>Many states have laws with specific requirements for the use of devices. South Carolina Code § 38-99-20 requires insurance companies to implement security measures that protect, by encryption, nonpublic information transmitted over external networks and stored on laptop computers, portable computing or storage devices, or media; to regularly test to detect attempted attacks; to include audit trails to detect and respond to cybersecurity events; and to protect against destruction, loss, or damage of nonpublic information due to environmental hazards.</p>
<p>Warren Bean, Sr. Sales Engineer for Zasio, recommends a few security measures to encourage compliance for company-owned mobile devices:</p>
<ul>
<li>Use randomly-generated passwords so that you can’t fall victim to social engineering tricks (such as getting your pet’s name or favorite color from your social media account);</li>
<li>Don’t use the same password on multiple apps or sites;</li>
<li>Never click on links or attachments from unknown sources;</li>
<li>Don’t leave your mobile device unattended;</li>
<li>Keep up to date on operating system updates and browser patches (the bad guys scour the internet looking for unpatched systems);</li>
<li>Use the strongest authentication methods available for your device, such as fingerprints and facial recognition, two-factor authentication, and automatic lock-outs for too many failed login attempts;</li>
<li>If you frequently use public Wi-Fi networks, consider investing in a VPN service that routes your data through an encrypted private network, especially when traveling in foreign countries;</li>
<li>Company-owned devices should also be centrally managed via mobile device management software that allows for remote updating and wiping of devices.</li>
</ul>
<p>Ultimately, employers need a clear policy for company-owned devices regarding consent, record retention and how they will monitor, access, view and preserve employee texts, emails and other mobile device information. Employers need to verify the legitimacy of the applications, understand where any data is being stored, how it’s being transmitted, and whether privacy agreements exist between the organization and the data processor. If you have any questions on your company’s policies or how company-owned devices should be accounted for in your records management strategy, <a href="https://www.zasio.com/" data-wpel-link="internal">contact Zasio</a>.</p>
<p><em>Disclaimer: The purpose of this post is to provide general education on Information Governance topics. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.</em></div>
			</div>
			</div>
				
				
				
				
			</div><div class="et_pb_row et_pb_row_7">
				<div class="et_pb_column et_pb_column_4_4 et_pb_column_7  et_pb_css_mix_blend_mode_passthrough et-last-child">
				
				
				
				
				<div class="et_pb_with_border et_pb_module et_pb_team_member et_pb_team_member_3 clearfix  et_pb_bg_layout_light">
				
				
				
				
				<div class="et_pb_team_member_image et-waypoint et_pb_animation_off"><img loading="lazy" decoding="async" width="96" height="96" src="https://zasio.com/wp-content/uploads/2022/01/Heather-Houle-01-96x96-1.jpg" alt="Author: Heather Houle, CRA" class="wp-image-2067" /></div>
				<div class="et_pb_team_member_description">
					<h4 class="et_pb_module_header">Author: Heather Houle, CRA</h4>
					<p class="et_pb_member_position">Senior Research Analyst / Certified Paralegal</p>
					
					
				</div>
			</div>
			</div>
				
				
				
				
			</div>
				
				
			</div>
<p>The post <a href="https://zasio.com/evolving-impact-of-company-owned-devices-in-records-management/" data-wpel-link="internal">The Evolving Impact of Company-Owned Devices in Records Management</a> appeared first on <a href="https://zasio.com" data-wpel-link="internal">Zasio</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://zasio.com/evolving-impact-of-company-owned-devices-in-records-management/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Proposed New York Privacy Act Breaks New Ground on Personal Data</title>
		<link>https://zasio.com/proposed-ny-privacy-act-breaks-new-ground-on-personal-data/</link>
					<comments>https://zasio.com/proposed-ny-privacy-act-breaks-new-ground-on-personal-data/#respond</comments>
		
		<dc:creator><![CDATA[Zasio]]></dc:creator>
		<pubDate>Mon, 08 Jul 2019 20:27:34 +0000</pubDate>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[By Frank Fazzio]]></category>
		<category><![CDATA[CCPA]]></category>
		<category><![CDATA[data fiduciary]]></category>
		<category><![CDATA[Frank Fazzio]]></category>
		<category><![CDATA[GDPR]]></category>
		<category><![CDATA[New York Privacy Act]]></category>
		<category><![CDATA[personal data privacy]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[privacy law]]></category>
		<guid isPermaLink="false">https://wordpress-140425-3498808.cloudwaysapps.com/?p=780</guid>

					<description><![CDATA[<p>The post <a href="https://zasio.com/proposed-ny-privacy-act-breaks-new-ground-on-personal-data/" data-wpel-link="internal">Proposed New York Privacy Act Breaks New Ground on Personal Data</a> appeared first on <a href="https://zasio.com" data-wpel-link="internal">Zasio</a>.</p>
]]></description>
										<content:encoded><![CDATA[<div class="et_pb_section et_pb_section_4 et_section_regular" >
				
				
				
				
				
				
				<div class="et_pb_row et_pb_row_8">
				<div class="et_pb_column et_pb_column_4_4 et_pb_column_8  et_pb_css_mix_blend_mode_passthrough et-last-child">
				
				
				
				
				<div class="et_pb_module et_pb_text et_pb_text_4  et_pb_text_align_left et_pb_bg_layout_light">
				
				
				
				
				<div class="et_pb_text_inner">Now that the one-year anniversary of the GDPR implementation date has come and gone, many in the business world are collectively exhaling after a long and arduous period of privacy compliance efforts. But the respite is short-lived: preparations are already underway to handle the new California Consumer Privacy Act (CCPA), which will go into effect on January 1, 2020 (pending any last-minute amendments during the interim). The CCPA has a one-year lookback period, meaning that CCPA-compliant recordkeeping should already be well underway. However, another challenging new privacy law is already potentially looming on the horizon. New York lawmakers recently introduced a groundbreaking new piece of legislation that in some aspects might be significantly tougher than either the GDPR or the CCPA. If passed as written, the <a href="https://www.nysenate.gov/legislation/bills/2019/s5642" data-wpel-link="external" rel="external noopener noreferrer">New York Privacy Act</a> may represent a seismic shift in how companies use and manage their customers’ personal data. While similar to other privacy laws in many respects, the draft law may have dramatically sharper teeth due to two important provisions.</p>
<p>In the first, it imposes a completely novel duty on anyone processing consumer personal data, which the law calls a “data fiduciary.” A data fiduciary must exercise the “duty of care, loyalty and confidentiality expected of a fiduciary with respect to securing the personal data of a consumer against a privacy risk; and shall act in the best interests of the consumer, without regard to the interests of the entity, controller or data broker, in a manner expected by a reasonable consumer under the circumstances.” Any third party with whom the fiduciary shares or sells data must also agree to abide by that same standard. Furthermore, to avoid any doubt, the law clarifies that the data fiduciary duty “shall supersede any duty owed to owners or shareholders of a legal entity or affiliate thereof, controller or data broker, to whom this article applies.”</p>
<p>Acting in a way that protects the interests of consumers is a worthy goal, but the immediate issue with this provision for many businesses is that processing personal data for use in marketing, including the selling of targeted advertisements, generally confers a financial benefit on the company at the expense of consumers’ privacy. And although businesses have a duty to their shareholders to manage the business in a profitable way and extract value from their assets, that duty now takes a backseat to their obligations to consumers. The practice is so lucrative that it has become an indispensable bedrock revenue stream for some of the largest tech giants of Silicon Valley, without which many of those companies may not be profitable at all.</p>
<p>In the second, the law departs from the CCPA by granting an expansive private right of action to consumers who have been harmed by non-compliance with the law. The CCPA mostly leaves enforcement to the California Attorney General, allowing private persons to recover damages only in the limited event of a data breach that exposes their unencrypted personal information. But New York’s draft law would instead give every individual the right to sue to enjoin any activity that violates the law and/or recover damages. The private right of action would potentially force companies to defend against a barrage of lawsuits, particularly class-action lawsuits, from a variety of different claimants. A similar provision was contemplated for the CCPA but was ultimately excluded from the final version after an intense round of lobbying from business interests.</p>
<p>Taken together, those two features could constitute a one-two punch that deals a heavy blow to company bottom lines by exposing them to open-ended liability while simultaneously hampering many of their most reliable and profitable revenue streams.</p>
<p>In addition, the law doesn’t have any type of revenue hurdle for bringing businesses into its enforcement purview. The CCPA sets the threshold for compliance at one of the following: $25 million in revenue, service of 50k or more California consumers or devices, or deriving at least 50% of revenue from selling California consumers’ personal information. Conversely, the New York Privacy Act would be applicable to all entities and individuals, large and small, which could potentially make compliance for small businesses very tricky or expensive.</p>
<p>Since this bill is still only in draft form in committee, a lot could change before it is put to a vote or enacted into law. And with New York and other states joining California in a push to regulate personal data privacy, the incentive to replace a myriad of state-level laws with one unified federal privacy act may grow even stronger in the near future. As they wait for the legislative process to unfold, business managers and privacy professionals should continue to build out their capacities to monitor and control their processing of personal data so that they will have the flexibility and agility to proactively manage requirements like the New York Privacy Act and other future regulatory developments.</p>
<p><em>Disclaimer: The purpose of this post is to provide general education on Information Governance topics. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.</em></div>
			</div>
			</div>
				
				
				
				
			</div><div class="et_pb_row et_pb_row_9">
				<div class="et_pb_column et_pb_column_4_4 et_pb_column_9  et_pb_css_mix_blend_mode_passthrough et-last-child">
				
				
				
				
				<div class="et_pb_with_border et_pb_module et_pb_team_member et_pb_team_member_4 clearfix  et_pb_bg_layout_light">
				
				
				
				
				<div class="et_pb_team_member_image et-waypoint et_pb_animation_off"><img loading="lazy" decoding="async" width="96" height="96" src="https://zasio.com/wp-content/uploads/2023/05/Frank-01-96x96-1.png" alt="Author: Frank Fazzio, IGP, CRM" class="wp-image-1966" /></div>
				<div class="et_pb_team_member_description">
					<h4 class="et_pb_module_header">Author: Frank Fazzio, IGP, CRM</h4>
					<p class="et_pb_member_position">Analyst / Licensed Attorney</p>
					
					
				</div>
			</div>
			</div>
				
				
				
				
			</div>
				
				
			</div>
<p>The post <a href="https://zasio.com/proposed-ny-privacy-act-breaks-new-ground-on-personal-data/" data-wpel-link="internal">Proposed New York Privacy Act Breaks New Ground on Personal Data</a> appeared first on <a href="https://zasio.com" data-wpel-link="internal">Zasio</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://zasio.com/proposed-ny-privacy-act-breaks-new-ground-on-personal-data/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
	</channel>
</rss>
